Browser security: Pwn2Own topples all but Chrome

By Andrew Heining, March 24, 2009

Unless you're running Google's Chrome or squinting at these words on a mobile device, the answer could surprise you. And pipe down, Firefox fanboys – we're talking to you, too.

The Pwn2Own browser security competition, held this week at the CanSecWest conference in Vancouver, Canada, saw Internet Explorer, Firefox, and Safari all fall to exploits. But don't panic. Your browser's not suddenly in jeopardy: the vulnerabilities identified are never made public. In fact, the event affords companies and programmers a chance to fix holes in their software before hackers can use them to inflict real-world damage.

Safari was compromised in seconds, victim to a prepared attack that "allows a remote attacker to gain control of a machine by having a user click on a single malicious URL." Safari running on a Mac was the most-attacked browser at this year's conference, because "it's an easy target," according to last year's overall winner.

Internet Explorer, the world's most popular browser, fell next. Even with the latest security patches, Microsoft's IE yielded to a 25-year-old computer science student.

Firefox, which has long enjoyed a place as the geek browser of choice, was next to crack. ZDNet's Adrian Kingsley-Hughes asks whether the open-source web browser isn't at the end of its honeymoon period: "One complaint I find that’s directed at Firefox often is that the browser has shifted too far away from the early ideals of 'fast and secure' and has become bloated," he writes.

There are bugs in Chrome, but they’re very hard to exploit. I have a Chrome vulnerability right now but I don’t know how to exploit it. It’s really hard. They’ve got that sandbox model that’s hard to get out of. With Chrome, it’s a combination of things — you can’t execute on the heap, the OS protections in Windows and the Sandbox.

In other words, with so many unsecured browsers out there (Safari was called "low-hanging fruit" by more than one competitor) it's not worth it to a hacker to struggle through Chrome's multiple levels of security.

Choosing a secure browser is a lot like locking up a bike. You don't necessarily have to shell out for the most expensive impenetrable über-lock – just make sure to park next to someone whose bike is less securely locked than yours. With web browsing, that means using Google Chrome or sticking to mobile browsing.